
Re: User Administration



On Tue, Nov 02, 2004 at 01:31:55PM +0100, Runo Forrisdahl wrote:
> On Tue, Nov 02, 2004 at 08:33:07AM +0100, Finn-Arne Johansen wrote:
> |
> | First let's see what we want to achieve:
> |  Someone that doesn't have root access should be allowed to update the ldap DB.
> | 
> | <...>
> |
> | Solution: Extend wlus to allow a user to authenticate as ldap admin with
> |          the ldap-admin password, even though the user has
> |          authenticated as themselves. 
> 
> Why do they need an ldap-admin password? If they are members of the admins or jr.
> admins group, shouldn't that be sufficient?

I'm not sure how much effort has been put into using fine-grained acl in
Skolelinux. But the way things are set up now, and the way wlus works,
you need to log in as root to webmin to be able to modify other users'
information in wlus. When logged in as root you are authenticated using
the ldap admin user object, and you have to enter the admin password.
This is by design. To let users other than root be allowed to edit
other accounts than their own, you have to modify the acl in some way,
and possibly also wlus. You may be able to use something like
 http://freshmeat.net/projects/webmin-openldap/
to modify the acl via webmin, but that is untested and unsupported. 

The long term solution is either to add something on top of ldap/wlus,
like cerebrum, feide or something like that, or find some way to add
acl with groups in the openldap configuration file /etc/ldap/slapd.conf. 

The short term solution is to modify wlus to let the admin group authenticate as
ldap admin, using the ldap admin password, or to extend the acl in
/etc/ldap/slapd.conf.

I would guess that the work involved with the short term solution is
8-24 hours of work. 

> On Tue, Nov 02, 2004 at 09:14:14AM +0100, Andreas Schuldei wrote:
> | > that approach has the fundamental drawback to have several people
> | > operate on the same account with root/admin authority. that
> | > increases the danger of password leakage and makes abuse harder
> | > to detect. i would not want to pursue this solution for that
> | > reason.
> 
> Even though it's a drawback and danger I would consider the gain this
> functionality gives greater. After all it's only the LDAP that's going to be
> corrupted, and with a sane backup routine you'll be online sooner rather than
> later.

I agree

> | > | 2) with the future cerebrum backend and ldap as the directory
> | > |    frontend, and webmin as the gui
> | > |    - switch webmin-ldap-user-simple to use cerebrum as a backend.
> | > |      (2-4 weeks)
> | > |    - get the cerebrum package up to speed 3-5 weeks including
> | > |      preconfiguration, a debian-edu profile with spreads etc,
> | > |      (work in progress)
> | > |    - get import and export filters written (uncertain, might take
> | > |      only a week)
> | > |    - provide an upgrade path from flat files (2 weeks?) or
> | > |      present WLUS setup with data stored in ldap (4 weeks)
> | > |    - more work which i am unaware of atm
> | > |    this option is the one i pursue right now and that i would
> | > |    recommend to consider more closely. see also
> | > |    http://developer.skolelinux.no/~andreas/wishlist.txt
> 
> Will this option 2 be backported into Skolelinux 1.0?

I don't know. I currently focus on bringing out a sarge-based
Debian-edu. I guess that will come before cerebrum. 

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/



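As an added illustration (not from the thread or from Skolelinux's own configuration) of the short-term ACL option mentioned above, this is what group-based access in /etc/ldap/slapd.conf can look like; the DNs dc=example,dc=org, ou=People and cn=admins,ou=Group are assumed placeholders.

```conf
# Added example (not from the thread): group-based ACLs in /etc/ldap/slapd.conf
# so that members of an admins group can edit other users' entries without
# binding as the LDAP admin (rootdn) or sharing its password.
# All DNs are assumed placeholders; adjust them to the real tree.
#
# Caveat: the "group" clause only matches DN-valued members
# (groupOfNames/member). A posixGroup listing memberUid values will not
# match, so keep a parallel cn=admins groupOfNames entry for ACL purposes.

# Passwords: the admins group and the owner may change them; everyone
# else may only use the attribute to authenticate (bind), never read it.
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=userPassword
        by group/groupOfNames/member="cn=admins,ou=Group,dc=example,dc=org" write
        by self write
        by anonymous auth
        by * none

# Remaining user attributes: the admins group may write, authenticated
# users may read. The first matching "access to" directive wins, so this
# must come after the more specific userPassword rule above.
access to dn.subtree="ou=People,dc=example,dc=org"
        by group/groupOfNames/member="cn=admins,ou=Group,dc=example,dc=org" write
        by self read
        by users read
        by * none

# Everything else (group entries, base): readable only once authenticated.
# The rootdn bypasses every ACL, so binding as it stays a last resort.
access to *
        by users read
        by * none
```

Within each directive the first matching `by` clause also wins, so verify the result by running ldapmodify against a test entry both as a member of cn=admins and as an ordinary user before relying on it.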